TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Risk Management Efforts Could Be Improved With Clearly Defined Procedures and Expanded Information Sharing

September 2, 2011

Reference Number: 2011-10-096

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | TIGTACommunications@tigta.treas.gov
Web Site      | http://www.tigta.gov

HIGHLIGHTS

RISK MANAGEMENT EFFORTS COULD BE IMPROVED WITH CLEARLY DEFINED PROCEDURES AND EXPANDED INFORMATION SHARING

Highlights

Final Report Issued on September 2, 2011

Highlights of Reference Number: 2011-10-096 to the Internal Revenue Service Chief Financial Officer and Director, Office of Research, Analysis, and Statistics.

IMPACT ON TAXPAYERS

The Federal Government should be effective and spend taxpayer dollars wisely. The proactive management of organization-level risks is critical to the Internal Revenue Service’s (IRS) ability to both meet its strategic objectives and provide stakeholders with confidence that it is operating effectively and efficiently.

WHY TIGTA DID THE AUDIT

This audit was initiated to determine whether the IRS has an efficient process for managing risks to the achievement of its strategic objectives. This review is part of our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Leveraging Data to Improve Program Effectiveness and Reduce Costs.

WHAT TIGTA FOUND

The IRS can take additional actions to improve its risk management process. Specifically, TIGTA found that the efficiency of the Executive Steering Committee’s (ESC) risk management efforts could be improved by developing guidelines detailing how the ESCs should identify, assess, address, and monitor risks applicable to their responsible areas. In addition, the IRS should implement a methodology that supports the timely sharing of identified risks between the ESCs. Further, regular internal reviews of the ESCs’ risk management activities would assist management in ensuring the ESCs are operating effectively. By taking these actions, TIGTA believes the IRS can better ensure its risk management activities are effectively coordinated and its resources are allocated efficiently to manage those risks that may impact its ability to achieve organizational goals.

TIGTA also determined that the IRS’s Modernization and Information Technology Services (MITS) organization is in the early stages of developing a more formalized risk management framework supported by a dedicated executive. This initiative should be monitored by the IRS to study the potential benefits and the costs and steps involved in moving long term towards a more formal IRS-wide risk management process.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Financial Officer develop procedures to guide the risk management activities of the ESCs, require the ESCs to post risk information in a readily accessible location, and require the ESCs to notify the Chief Financial Officer when a new ESC is implemented. TIGTA also recommended that the Director, Office of Research, Analysis, and Statistics, develop procedures requiring the review of risk management activities of the ESCs on a routine basis. Finally, TIGTA recommended that the Chief Financial Officer and the Director, Office of Research, Analysis, and Statistics, jointly monitor and evaluate the MITS organization’s risk management initiative to study the potential benefits in moving towards a more formal IRS-wide risk management process.

IRS management agreed with two recommendations. Management stated they plan to compile a list of ESCs and monitor the MITS organization’s risk management initiative. However, management disagreed with our recommendation to develop procedures to guide the risk management activities of the ESCs, require the ESCs to post risk information, and perform ongoing reviews of the ESCs’ risk management efforts. TIGTA maintains that procedures, better information sharing, and periodic assessments of the IRS risk process would provide additional assurance that it is effectively managing corporate risks.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 2, 2011

MEMORANDUM FOR CHIEF FINANCIAL OFFICER
               DIRECTOR, OFFICE OF RESEARCH, ANALYSIS, AND STATISTICS

FROM:          Michael R. Phillips
               Deputy Inspector General for Audit

SUBJECT:       Final Audit Report – Risk Management Efforts Could Be Improved With Clearly Defined Procedures and Expanded Information Sharing (Audit # 201010020)

This report presents the results of our review of the Internal Revenue Service’s (IRS) risk management process. The overall objective of this review was to determine whether the IRS has an efficient process for managing risks to the achievement of its strategic objectives. Our review focused specifically on the risk management efforts of the IRS’s Executive Steering Committees as this is the overall vehicle the IRS uses to manage organization-level risks.
This review is part of the Treasury Inspector General for Tax Administration’s Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Leveraging Data to Improve Program Effectiveness and Reduce Costs.

Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations), at (202) 622-8500.

Table of Contents

Background

Results of Review
    Procedures and Better Information Sharing Could Improve the Efficiency of the Executive Steering Committees
        Recommendation 1
        Recommendation 2
    Additional Analyses of the Internal Revenue Service’s Risk Management Practices May Identify Potential Improvements
        Recommendation 3
        Recommendation 4

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management’s Response to the Draft Report

Abbreviations

CFO      Chief Financial Officer
ERM      Enterprise Risk Management
ESC      Executive Steering Committee
IRS      Internal Revenue Service
MITS     Modernization and Information Technology Services
OPERA    Office of Program Evaluation and Risk Analysis

Background

In general, risk management can be defined as the identification of possible future events which may impact the ability of an organization to meet its objectives and the implementation of actions to address those events. In January 2005, the Government Accountability Office identified risk management as an area of concern in the Federal Government.
For example, challenges facing the Internal Revenue Service (IRS) include the impact of significant tax law changes, growing impact of international tax law issues, increased sophistication of efforts to evade compliance, and increased service expectations by American taxpayers and tax practitioners.

The IRS is a large and complex organization, comprised of 4 operating divisions and 16 functional offices, with a total staff of more than 94,000 employees. In order to address areas of significant organization-level concerns, IRS senior management utilizes 26 Executive Steering Committees (ESC) that are generally comprised of representatives from multiple IRS functions. The ESCs cover a broad scope of issue areas, including human capital, data security, infrastructure enhancements, taxpayer compliance, operational readiness, and legislative changes (such as implementation of the recently enacted health care legislation). The IRS’s risk management efforts are also broadly supported by its 5-year strategic plan, which identifies its overall program goals and anticipated general risk areas.

Enterprise risk management (ERM) is an emerging discipline whereby an organization implements a process across the organization designed to identify potential events that may affect the organization and manage risk to provide reasonable assurance regarding the achievement of organizational objectives. A fundamental concept of ERM is that it considers activities at all levels of the organization and identifies entity-wide risks. This structure is supported in some organizations, especially those that are larger and more complex, by a dedicated executive and staff specifically responsible for organizational risk management.

Guidance regarding ERM practices has been developed by a number of private and government organizations and continues to be expanded.
For example, the Committee of Sponsoring Organizations[1] published an ERM framework in September 2004 to assist entities in moving towards a fuller risk management process. According to the Committee of Sponsoring Organizations, a proactive approach to risk management is necessary and includes processes and activities that are intertwined within an organization’s core activities so that risk management is performed on an ongoing, consistent basis by employees throughout an organization.

[1] The Committee of Sponsoring Organizations is a voluntary private-sector organization, established in the United States, dedicated to providing guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.

This review was performed at the IRS Headquarters offices of the Chief Financial Officer (CFO); the Office of Research, Analysis, and Statistics; and the Tax Exempt and Government Entities Division in Washington, D.C.; the Modernization and Information Technology Services (MITS) organization and the Small Business/Self-Employed Division in New Carrollton, Maryland; the Wage and Investment Division in Atlanta, Georgia; and the Large Business and International Division in Chicago, Illinois, during the period September 2010 through May 2011. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Results of Review

We believe the IRS can take additional actions to improve its risk management process. Specifically, we found that the efficiency of the ESCs’ risk management efforts could be improved by developing guidelines detailing how the ESCs should identify, assess, address, and monitor risks applicable to their responsible areas. In addition, the IRS should implement a methodology that supports the timely sharing of identified risks between the ESCs. Further, regular internal reviews of the ESCs’ risk management activities would assist management in ensuring the ESCs are operating effectively and coordinating appropriately. By taking these actions, we believe the IRS can better ensure its risk activities are effectively coordinated and its resources are allocated efficiently to manage risks that may impact its ability to achieve organizational goals.

We determined that the MITS organization is in the early stages of developing a formalized, integrated risk management framework to manage information technology risks. Specifically, MITS management is implementing a dedicated group, headed by a senior executive, to specifically focus on managing risks applicable to IRS information technology.
We believe this initiative should be continually monitored by the IRS to study the potential benefits, costs, and steps involved in moving long term towards a more formal IRS-wide risk management process supported by a dedicated senior executive and supporting staff.

Procedures and Better Information Sharing Could Improve the Efficiency of the Executive Steering Committees

An integral part of the IRS’s efforts to address and monitor organization-level risks to its strategic objectives is the work performed by its ESCs. The dynamic and cross organizational nature of the ESCs allows the IRS the opportunity to quickly apply resources to address and monitor IRS-wide risks in emerging areas of high concern via the creation of new ESCs. In addition, because the ESCs are comprised of a cross section of senior managers representing the IRS’s various functions, this approach helps ensure strong executive involvement in risk management activities performed. However, we found the efficiency of the ESCs’ risk management efforts could be improved by developing clearly defined procedures and a methodology supporting the timely sharing of information on risks identified.

Specifically, we found the IRS has not developed policies and procedures to guide the risk management activities of the ESCs. As a result, each ESC must develop its own approach for determining how risks will be identified, assessed, addressed, and monitored.

During our review, the IRS was unable to provide us with a comprehensive list of the ESCs currently in operation and whether any risks were being addressed by those ESCs.
Based on our research, we determined that there were 26 ESCs active (i.e., meeting regularly) at the time of our review. We reviewed the charters of 16 sampled ESCs and found that only 10 charters included a reference to the ESCs’ responsibilities regarding risk management. Further, we reviewed the risk management of five randomly selected ESCs and found the methodologies used by the five ESCs to identify, assess, address, and monitor the risks identified varied significantly in form and level of detail. For example, only one of the five ESCs we evaluated had a clearly defined methodology for assessing risk.

In addition, we determined that the ESCs can more effectively coordinate their efforts to share risk management practices with other ESCs and senior IRS operating division management. Specifically, the ESCs we reviewed generally did not post information regarding risks in a location readily accessible to other ESCs or other IRS organizational users, including its operating divisions and functional offices. As a result, it is difficult for IRS managers to timely identify crosscutting organizational risks. Although the sharing of risk information is somewhat supported by the IRS’s practice of having some senior managers participate in multiple ESCs, we do not believe that this practice alone is sufficient to fully support the sharing of risk information.
In addition, the lack of a centralized inventory of the active ESCs (and the risks they are addressing) significantly impacts the efficiency of the risk management process.

A risk management program should include developing policies and procedures that outline the organization’s expectations regarding the management of risks and document the process to ensure it operates effectively. Although the IRS CFO has overall responsibility for supporting the risk management efforts of the IRS, he or she has not yet developed guidelines and procedures to guide the efforts of the ESCs in identifying, assessing, addressing, and monitoring organizational risks or a methodology supporting the sharing of information on risks identified. Further complicating the CFO’s efforts, there are no specific procedures that require any function within the IRS to notify the CFO when a new ESC is being formed. As a result, neither the CFO nor any other function within the IRS maintains a current list of all active ESCs, their areas of focus, and specific risks they are responsible for addressing.

The ESCs play a critical role in the IRS’s efforts to both meet its objectives and provide stakeholders with confidence that it is operating effectively and efficiently. Without clearly defined procedures that outline the IRS’s expectations regarding how risks to organizational objectives should be identified, assessed, addressed, and monitored, each new ESC must expend valuable time and resources developing its own risk management process rather than focusing directly on the concern it was created to address. Similarly, the lack of readily available ESC risk information impedes the sharing of this information among senior IRS executive management. The need to share risk information is significant given the interrelated nature of the areas addressed by the IRS’s various ESCs.
Clearly defined procedures and increased coordination will assist the IRS in effectively managing corporate risks that may impact its ability to achieve organizational goals.

Recommendations

Recommendation 1: The CFO should develop policies and procedures to support the risk management activities of the ESCs. These procedures should clearly define the process ESCs should follow in identifying, assessing, addressing, and monitoring risks. In addition, the procedures should require the ESCs to post the risks they are addressing in a location readily accessible to other ESCs and other users.

    Management’s Response: CFO management disagreed with this recommendation. Management stated that each ESC uses risk processes appropriate to its function and requiring all ESCs to adhere to a rigid set of policies and procedures may constrain the options for addressing those challenges. However, management did agree to develop limited guidance that allows for flexibility in assessing risks, as needed. CFO management disagreed with establishing procedures that require the ESCs to post the risks they are addressing in a location readily accessible to other ESCs and other users, stating it would not be beneficial. Management stated that ESCs share information, including risks as appropriate, with relevant business units, and variances in issue and risk tracking are addressed separately when ESCs have overlap on pertinent issues. Management also stated that IRS risks and their resolutions change frequently, and having a repository would make the Governance process burdensome and would not add value.
    Management also believes that the resources required to maintain such a repository are not justifiable.

    Office of Audit Comment: While the IRS disagreed with the recommendation, it did agree to develop limited guidance for assessing risks, as needed. This type of guidance would meet the intent of our recommendation if it assists the ESCs in considering how risks will be identified, assessed, addressed, and monitored. We believe this type of guidance would help the IRS in better managing corporate risks by ensuring a more comprehensive approach to risk management and minimizing duplication of effort by allowing the ESCs to customize a risk management approach based on the general guidance rather than developing one on their own. In addition, we still believe making ESC risk information readily available will facilitate senior IRS executive management in identifying and sharing crosscutting organizational risks in a more timely and efficient manner and prevent potential conflicting solutions for addressing these risks. The ESCs can also benefit from prior attempts by other ESCs to address crosscutting risks, including successes and lessons learned. During the course of our review, we found that many ESCs already post key information (such as their meeting minutes) in a location readily accessible to other IRS users.
    As such, we believe that the ESCs could post applicable risk information in a similar manner without expending significant additional resources. If the postings are dated, other ESCs can easily determine if the risk information is current.

Recommendation 2: The CFO should develop procedures requiring any function within the IRS to notify the CFO whenever a new ESC is being implemented. The CFO should use this information to maintain a current list of all active ESCs and their areas of focus.

    Management’s Response: CFO management agreed with our recommendation. The CFO coordinates completion of the annual Government Accountability Office Internal Control Management and Evaluation Checklist to evaluate internal controls and reports their status to the Department of the Treasury and the Government Accountability Office. In future checklist updates, the CFO plans to add a series of questions designed to identify current ESC status as well as identify any new ESCs formed, to serve as the basis for compiling a current list of active ESCs annually. The business units will also be given guidance outlining specific documentation that should be maintained for all active ESCs.

Additional Analyses of the Internal Revenue Service’s Risk Management Practices May Identify Potential Improvements

We believe regular internal reviews of the ESCs’ risk management activities would assist management in ensuring the ESCs are operating effectively and coordinating appropriately.
In addition, IRS management should carefully monitor the efforts of the MITS business unit in establishing a formal risk management framework led by a dedicated executive to study the potential benefits, costs, and steps involved in moving long term towards a more formal IRS-wide risk management process.

Monitoring the effectiveness of risk management activities is a key component of a properly functioning risk management process. The Standards for Internal Control in the Federal Government state that control activities are an integral part of an entity’s planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. One key activity in this area is management reviews to compare actual performance to planned or expected results throughout the organization and analyze significant differences.

Regular reviews of the ESCs would assist management in identifying potential improvements in their risk management practices

Within the IRS, the Office of Program Evaluation and Risk Analysis (OPERA), which is located within the Office of Research, Analysis, and Statistics, has overall responsibility for evaluating risk management.
However, we found that the OPERA has not performed a review of the risk management efforts of the ESCs since April 2006.[2]

[2] In performing the 2006 review, the OPERA collaborated with the National Academy of Science to evaluate, via case studies and observations, the IRS’s ERM capabilities.

Although IRS procedures assign responsibility for the performance of risk management reviews to the OPERA, they do not specifically require periodic internal reviews of the IRS’s risk management process. The reviews could serve a critical purpose by allowing the IRS to ensure risks are continually identified, assessed, addressed, and monitored to effectively and efficiently achieve organizational objectives. OPERA management informed us they perform their reviews primarily based on requests from IRS management rather than on an ongoing or routine basis. In addition, the general lack of uniform and readily available risk tracking information hinders the OPERA’s ability to fully review the risk management activities of the ESCs.

Evaluation of the IRS’s risk management process will provide the IRS additional assurance that risks are timely identified, assessed, addressed, and monitored to effectively and efficiently achieve organizational objectives.
These reviews would also allow the IRS to evaluate the implementation of any enhancements it makes to its risk management process as a result of implementing actions to address our first report recommendation.

Continued monitoring of the MITS’ risk management process may identify potential benefits for a more formal IRS-wide risk management process

During our review, we determined that the MITS organization is in the early stages of developing a formalized, integrated risk management framework to manage information technology risks. Specifically, MITS organization management is implementing a dedicated group, headed by a senior executive, to focus on managing risks applicable to IRS information technology.

Although the OPERA provided early input in April 2010 on the MITS organization’s initiative, Office of Research, Analysis, and Statistics management informed us that they have no plans to further review this initiative or review the ESCs’ risk management practices. We believe this initiative should be monitored by the IRS in order to fully evaluate the potential benefits, costs, and steps involved in moving long term towards a more formal IRS-wide risk management process supported by a dedicated senior executive and supporting staff.
Without a plan to monitor this initiative, the IRS cannot effectively leverage lessons learned from the implementation of the MITS organization initiative in any future improvements it decides to make in IRS-wide risk management efforts.

Recommendations

Recommendation 3: The Director, Research, Analysis, and Statistics, should develop procedures requiring that the OPERA review the risk management activities of the ESCs on a periodic basis.

    Management’s Response: IRS management disagreed with our recommendation. Specifically, management stated that the OPERA’s role in risk management has been to evaluate opportunities for applying risk management and conduct risk analyses at the request of IRS senior leadership. The OPERA serves in an advisory and support role at the request of senior leadership and does not have primary responsibility for identifying and mitigating risks. The recommendation to develop procedures requiring the review of ESC risk management activities on a periodic basis may not provide additional value unless focused on specific needs of IRS senior leadership.

    Office of Audit Comment: We recognize that, in general, the OPERA performs its work in response to requests from various senior leaders. However, much has changed within the IRS’s risk environment since the April 2006 review, including new legislative requirements, new executives and managers, and new technology. In addition, ERM practices have continued to evolve.
       Given the OPERA’s extensive past experience in
       reviewing the IRS’s risk management processes, we believe an updated review of the
       current IRS-wide risk management process would provide both IRS executives and
       external stakeholders with additional assurance that the ESCs are operating effectively
       and coordinating appropriately.
Recommendation 4: The CFO and the Director, Research, Analysis, and Statistics, should
jointly monitor and evaluate the MITS organization risk management initiative in order to
incorporate lessons learned from the implementation and study of the potential benefits, costs,
and steps involved in moving towards a more formal IRS-wide risk management process.
       Management’s Response: IRS management agreed with our recommendation and
       stated that the OPERA plans to serve as an advisor to MITS organization senior
       management in monitoring and evaluating the MITS organization risk management
       initiative. The MITS organization initiative is expected to clarify MITS organization
       Enterprise Governance committee responsibilities and create downstream dependence on
       its ESCs to provide input to support investment recommendations. To address
       anticipated increased emphasis on the ESC role in investment management, the MITS
       organization Governance office is compiling information on the roles and responsibilities
       outlined in each ESC charter. The results will be used to identify improvement
       opportunities for information technology governance and to develop recommended
       enhancements (if any) for consideration by the MITS organization Enterprise Governance
       committee.
       The CFO will review the MITS organization findings and consider their
       applicability to an overall IRS-wide risk management process.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS has an efficient process
for managing risks to the achievement of its strategic objectives. To accomplish this objective,
we:
I.     Determined whether the IRS has established an overall framework to guide its efforts to
       manage risks to the achievement of its strategic objectives.
       A. Researched the IRS intranet (including the OPERA and the CFO web sites) and the
          Internal Revenue Manual to identify any applicable policies and procedures that
          guide the IRS’s risk management process.
       B. Analyzed the policies and procedures that guide the IRS’s overall risk management
          process.
       C. Identified and evaluated any guidance or support provided by the OPERA in assisting
          the IRS with its development of an overall ERM framework.
       D. Identified and evaluated any guidance or support provided by the CFO related to the
          IRS’s ERM framework.
II.    Assessed whether the IRS has implemented a comprehensive risk management process to
       effectively and proactively identify, assess, address, and monitor risks to the achievement
       of its strategic objectives.
       A. Determined the ESCs’ role in proactively identifying, assessing, addressing, and
          monitoring risks.
           1. Based on our research and information provided by the CFO and the OPERA, we
              identified a population of 26 ESCs that were active in Fiscal Year 2010. Of the
              26 active ESCs, we found that 9 were crosscutting and 17 were non-crosscutting.
              We selected a random sample of seven non-crosscutting ESCs. We further
              analyzed the charter and meeting minutes of the seven sampled non-crosscutting
              ESCs and all nine of the crosscutting ESCs.
           2. Utilizing a questionnaire, evaluated the methods used by the ESCs in managing
              risks. The questionnaire was provided to a random sample of five crosscutting
              ESCs.
       B. Evaluated coordination between the ESCs and the IRS’s four operating divisions and
          the MITS organization in the management of risks to strategic objectives.
       C. Evaluated how the OPERA and the CFO provide oversight over the management of
          risks by the ESCs.
III.   Determined whether the IRS is effectively communicating and coordinating risk
       information developed as a result of the efforts of the ESCs.
       A. Reviewed the OPERA’s relationship with CFO management in regards to sharing risk
          information.
       B. Evaluated whether five randomly selected ESCs have a risk reporting relationship
          with CFO management and whether the results of their risk management activities are
          shared with key stakeholders.
       C. Determined how CFO management uses strategic planning information in the risk
          management activities of the ESCs.
Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined the following
internal controls were relevant to our audit objective: the IRS’s policies and procedures for
managing risks to the achievement of its strategic objectives. We evaluated these controls by
interviewing management, reviewing a sample of the ESCs, and reviewing applicable
documentation.

Appendix II

Major Contributors to This Report

Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt
Organizations)
Jeffrey M. Jones, Director
Anthony J. Choma, Audit Manager
Kanika Kals, Lead Auditor
Yasmin Ryan, Senior Auditor
Autumn Gill, Evaluator
Dana Karaffa, Evaluator

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Technology Officer OS:CTO
Deputy Chief Financial Officer OS:CFO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Chief Financial Officer OS:CFO
       Director, Office of Research, Analysis and Statistics OS:RAS

Appendix IV

Management’s Response to the Draft Report